How to Set Up Work Folders for Data Synchronisation on Windows Server 2025

How to Set Up Work Folders for Data Synchronisation on Windows Server 2025

Work Folders is a Microsoft file synchronisation service built directly into Windows Server, designed to give users access to their work files on any device — domain-joined or not — without routing data through a public cloud. Unlike OneDrive for Business, Work Folders keeps your data entirely on-premises, making it an appealing choice for organisations with strict data residency, regulatory, or sovereignty requirements. Introduced in Windows Server 2012 R2 and continuously improved, Work Folders in Windows Server 2025 supports encrypted sync shares, device policy enforcement, and integration with Web Application Proxy for secure external access. This tutorial covers the complete setup process from role installation through to monitoring sync activity in production.

Prerequisites

• Windows Server 2025 joined to an Active Directory domain
• An NTFS volume with adequate capacity for user data stores
• Active Directory user accounts; Work Folders maps one sync share per user alias
• SSL certificate issued to the Work Folders FQDN (e.g., workfolders.contoso.com) for HTTPS — required for external access
• PowerShell running as Administrator
• Clients running Windows 10 version 1507 or later, or Windows 11

Step 1: Install the Work Folders Role Service

Work Folders is a role service within the File and Storage Services role. Install it with Install-WindowsFeature. The IIS web server components are installed automatically because Work Folders exposes a HTTPS REST endpoint that clients use to synchronise data.

# Install Work Folders role service (includes IIS dependencies)
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# Confirm installation
Get-WindowsFeature -Name FS-SyncShareService | Select-Object Name, InstallState

# Also verify the SyncShare module loaded
Get-Command -Module SyncShare

After installation, the SyncShare PowerShell module is available and the Work Folders IIS site is created. By default it listens on port 443. You will bind your SSL certificate to this site in a later step.

Step 2: Create the User Data Directory Structure

Work Folders creates a per-user subfolder automatically, but the root path must exist and have the correct NTFS permissions before you create the sync share. The recommended pattern is to give only SYSTEM and Administrators access to the root; Work Folders creates and ACLs the per-user sub-folders itself.

# Create the root data folder
New-Item -ItemType Directory -Path "E:WorkFolders" -Force

# Remove inherited permissions and lock down to SYSTEM + Administrators only
icacls "E:WorkFolders" /inheritance:d
icacls "E:WorkFolders" /remove:g "BUILTINUsers"
icacls "E:WorkFolders" /grant "NT AUTHORITYSYSTEM:(OI)(CI)F"
icacls "E:WorkFolders" /grant "BUILTINAdministrators:(OI)(CI)F"

Write-Host "Data root secured. Work Folders will manage per-user sub-folders."

Step 3: Create a Sync Share

A sync share defines which users get a synchronised folder and maps their data to a physical path on the server. In the most common configuration, a single sync share serves all domain users via the %username% token.

# Create a sync share for all domain users
New-SyncShare `
    -Name "UserData" `
    -Path "E:WorkFolders" `
    -Description "Work Folders sync share for all domain users" `
    -User "DOMAINDomain Users" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Verify the sync share
Get-SyncShare -Name "UserData" | Format-List

Key parameters explained:

• -User: Specifies which AD groups or users are permitted to synchronise. You can pass multiple values as an array: -User "DOMAINSalesTeam","DOMAINFinanceTeam".
• -RequireEncryption $true: Mandates that the client device encrypts its local Work Folders data store using BitLocker or device encryption. Devices that cannot comply are denied sync.
• -RequirePasswordAutoLock $true: Forces the client device to have a screen lock with a password/PIN. This prevents someone from accessing work data on an unattended unlocked device.

Step 4: Bind the SSL Certificate to the Work Folders IIS Site

Work Folders communicates exclusively over HTTPS. You must bind a trusted SSL certificate to the Work Folders IIS site before clients can connect — especially external clients.

# Import a PFX certificate (replace with your actual cert path and thumbprint)
$certPath   = "C:Certsworkfolders-contoso.pfx"
$certPass   = Read-Host -AsSecureString -Prompt "PFX Password"
$cert       = Import-PfxCertificate -FilePath $certPath `
                                    -CertStoreLocation "Cert:LocalMachineMy" `
                                    -Password $certPass

Write-Host "Certificate thumbprint: $($cert.Thumbprint)"

# Bind the certificate to the Work Folders IIS site (port 443)
Import-Module WebAdministration
$siteName = "Work Folders"

# Remove any existing HTTPS binding
Get-WebBinding -Name $siteName -Protocol https | Remove-WebBinding

# Add new binding with the imported certificate
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*" -SslFlags 0
$binding = Get-WebBinding -Name $siteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, "My")

Write-Host "SSL certificate bound to '$siteName' IIS site on port 443."

Step 5: Configure External Access via Reverse Proxy

For users outside the corporate network, Work Folders traffic must be proxied through a perimeter device. Windows Server 2025 supports Web Application Proxy (WAP) — a role service on a DMZ server — as well as third-party reverse proxies such as nginx or HAProxy. The server-side URL that clients use is configured via Set-SyncServerSetting.

# Set the external URL that clients use to reach the Work Folders endpoint
# This is the public FQDN fronted by the reverse proxy
Set-SyncServerSetting -WorkFolderUrl "https://workfolders.contoso.com"

# Verify
Get-SyncServerSetting | Select-Object WorkFolderUrl

# --- On the WAP server (separate DMZ server) ---
# Publish Work Folders as a pass-through application
# (Run this on the WAP server after installing Web-Application-Proxy feature)
Add-WebApplicationProxyApplication `
    -Name "Work Folders" `
    -ExternalPreAuthentication PassThrough `
    -ExternalUrl "https://workfolders.contoso.com/" `
    -BackendServerUrl "https://wf-server.contoso.local/" `
    -DisableTranslateUrlInRequestHeaders $false

If you prefer nginx, add a server block that proxies HTTPS traffic to the internal Work Folders server, ensuring proxy_ssl_verify is enabled and the backend certificate is trusted. The Work Folders IIS site must have a valid internal certificate (can be from your internal CA) for the backend connection.

Step 6: Deploy Work Folders on Windows 10/11 Clients

There are two ways to configure Work Folders on client devices: through the Control Panel UI or via PowerShell / Intune for automated deployment at scale.

# --- Option A: Manual setup via PowerShell on the client ---
# The Set-WorkFolder cmdlet configures the local Work Folders client
# Note: This cmdlet is available on Windows 10/11 clients, not on the server

# Set the sync server URL and accept the policy
Set-WorkFolder -ServerUrl "https://workfolders.contoso.com" -AcceptPolicies

# Check sync status
Get-WorkFolder | Format-List

# --- Option B: Deploy via Intune / MDM (OMA-URI) ---
# OMA-URI: ./User/Vendor/MSFT/WorkFolders/ServerURL
# Value:   https://workfolders.contoso.com
# Data type: String
# This silently configures Work Folders on enrolled devices without user interaction.

# --- Option C: Group Policy (domain-joined devices) ---
# Computer Configuration → Administrative Templates → Windows Components → Work Folders
# Policy: "Specify Work Folders settings"
# Enable and enter: https://workfolders.contoso.com

Step 7: Monitor Sync Activity and Resolve Conflicts

Work Folders logs sync activity to the Windows Event Log on both the server and the client. Conflicts occur when the same file is modified on two devices before a sync round-trip completes.

# --- On the server ---
# View sync share activity (connected users, file counts)
Get-SyncShare -Name "UserData" | Format-List

# Check the Work Folders event log for errors
Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in "Error","Warning" } |
    Format-Table TimeCreated, Id, Message -AutoSize

# View per-user data store size
Get-ChildItem -Path "E:WorkFolders" -Directory |
    ForEach-Object {
        $size = (Get-ChildItem $_.FullName -Recurse -File |
                 Measure-Object Length -Sum).Sum / 1MB
        [PSCustomObject]@{ User = $_.Name; SizeMB = [math]::Round($size, 2) }
    } | Sort-Object SizeMB -Descending

# --- Conflict files ---
# Work Folders appends "-Conflict" and a timestamp to the losing version
# List all conflict files across all users
Get-ChildItem -Path "E:WorkFolders" -Recurse -Filter "*-Conflict*" |
    Select-Object FullName, LastWriteTime, @{n="SizeKB";e={[math]::Round($_.Length/1KB,1)}}

Work Folders vs OneDrive for Business

Understanding when to choose Work Folders over OneDrive for Business helps you make the right recommendation for your organisation:

• Data residency: Work Folders stores data entirely on-premises; OneDrive for Business stores data in Microsoft’s cloud. Organisations subject to data sovereignty laws often must use Work Folders or a private cloud equivalent.
• Device requirements: Work Folders works on non-domain-joined Windows 10/11 devices and on older clients; OneDrive for Business has a richer client with offline capabilities and co-authoring support.
• File size limits: Work Folders has no per-file size limit beyond disk capacity; OneDrive for Business supports files up to 250 GB.
• Collaboration: OneDrive for Business integrates with Microsoft 365 co-authoring in Word, Excel, and PowerPoint. Work Folders does not — it is a file sync service, not a collaboration platform.
• Infrastructure cost: Work Folders requires server hardware, licensing, and maintenance; OneDrive for Business is included in Microsoft 365 subscriptions.

Conclusion

Work Folders on Windows Server 2025 provides a robust, entirely on-premises alternative to cloud-based file synchronisation. By requiring device encryption and screen lock policies at the sync share level, you gain compliance assurance that is difficult to enforce with consumer-grade cloud sync tools. The reverse proxy integration means remote workers can synchronise their data securely over the internet without a VPN, reducing friction while keeping data off third-party infrastructure. For organisations that need to meet strict data residency requirements or operate in air-gapped or low-connectivity environments, Work Folders remains the most practical file synchronisation solution in the Microsoft ecosystem. Pair it with DFS Namespaces for high availability and Distributed File System Replication for multi-site redundancy to build a complete enterprise file services platform.